Questions tagged [pci-dss]
An acronym for Payment Card Industry (PCI) Data Security Standard (DSS): a set of rules and policies for protecting information related to card-based financial instruments.
688 questions
1 vote, 1 answer, 138 views
Does PCI DSS allow storing the cardholder's name a person entered (and not the real one)?
I have an app where a person enters their card number, the cardholder's name, the expiration date and the CVV. I am now making it PCI DSS-compliant. I will store the card number in an encrypted way. ...
2 votes, 1 answer, 170 views
Would a domain registrar be considered a Service Provider for PCI compliance if it never touches its customer's cardholder data?
Hypothetical: Company A accepts credit card payments and must be PCI compliant. Company B provides domain registration (but not DNS or web hosting) services to Company A. Some of these domains are ...
3 votes, 1 answer, 125 views
PCI DSS SAQ A qualification - what counts as a 'found' vulnerability?
This question pertains to PCI DSS v4.0 SAQ A; previous Q&A only touched on previous versions of PCI. Since 4.0, merchants that accept credit card payment, even if they only iframe or link to their ...
5 votes, 0 answers, 51 views
PCI-DSS Scope - How to determine client scope segmentation
We are a medium-sized organization and use Payment Service Providers for all purchases, including credit card and non-credit card purchases. We get yearly audits and our internal payments platform is ...
6 votes, 1 answer, 189 views
How do payment facilitators like Stripe handle the PCI DSS requirement to periodically inspect POI devices?
Payment facilitators like Stripe provide card payment terminals to their customers. These devices must be periodically inspected, per requirement 9.5.1.2. How does the payment facilitator handle this, ...
0 votes, 1 answer, 61 views
Practical advice on completing PCI DSS SAQ [closed]
I have established that my business needs to complete a PCI DSS SAQ-D form for attesting PCI compliance... twice - once as a merchant and once as a service provider! Even completing it once is a ...
1 vote, 1 answer, 43 views
PCI Compliance for Contract Management Software with User-Entered Card Data
I'm evaluating a contract management software that claims PCI compliance for my CC data. However, I am going to use the software to issue contracts to my customers where they directly enter credit ...
0 votes, 0 answers, 73 views
PCI 4.0 Assessment for Service Provider that doesn't have a CDE
What type of PCI 4.0 Assessment are Service Providers doing when they have no CDE, they do not accept or process credit cards, but instead use another service provider for those services?
25 votes, 3 answers, 7k views
Why is the absence of a Content-Type header with an HTTP 204 response considered a security vulnerability, and what should we do about it?
We have recently developed a web application with a RESTful API backend. This web app needs to have a certain security certification (something called PCI-DSS), and thus it is being scanned ...
2 votes, 1 answer, 171 views
Can CVV be input in a standard web site? The site doesn't store it
On my website, payments are done using a PCI-compliant third-party partner. If the client agrees, I store a TOKEN of the card (returned by the PCI partner). I want to make a new payment with CVV for the ...
1 vote, 1 answer, 109 views
Interchangeable IDs for login under PCI DSS, like Facebook and Twitter
Is using multiple interchangeable IDs PCI DSS compliant? Facebook and Twitter use the same method for sign-in: multiple interchangeable IDs, such as signing in with email, mobile number or username.
2 votes, 1 answer, 646 views
PCI DSS 4.0 - Are SSH tunnels and gateways doomed?
I won't lie, I am not a security expert and I am likely one of those guys in those companies whose working-life proficiency is to slowly become a little annoying. I work for a company complying with PCI ...
1 vote, 2 answers, 3k views
Can I use GitHub and be PCI DSS 4.0 compliant?
Is it possible to use any remote DVCS (GitHub, Bitbucket, etc.) with PCI DSS or should I host Git on my own server? The repo obviously doesn't store any sensitive CHD information and I do have my own ...
2 votes, 1 answer, 618 views
How to Approach CVEs Marked as "DISPUTED" and "WON'T FIX" in PCI-DSS Pentest
When conducting penetration testing in a PCI-DSS compliance context, we found a known security vulnerability that's identified by a CVE number. In this case, the finding in question is CVE-2016-20012, ...
1 vote, 1 answer, 579 views
PCI compliance - use of ANSI X9.17 for export keys
We have a concern about a key export. We completed the migration to Key Block LMK in our environment (with a Thales 10K HSM). Now we have to exchange keys with third parties that still use keys in ...